Your message dated Wed, 23 May 2007 15:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#425010: fixed in mantis 1.0.7+dfsg-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mantis
Version: 1.0.6+dfsg-4.1
Severity: grave

After an upgrade of Mantis, the config file /etc/mantis/config_db.php
is world-wide readable and contains the clear password of my SQL
database!!!

Please urgently fix this as it creates a very big security hole.

The previous versions of Mantis were smarter:

  -rw-r-----  1 root www-data 1887 2007-05-18 11:27 config.php
         ^^^         ^^^^^^^^

I've 'chgrp www-data' and 'chmod 640' the new file
/etc/mantis/config_db.php and it's working.

Thanks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mantis depends on:
ii  apache                      1.3.34-4.1   versatile, high-performance HTTP s
ii  apache2                     2.2.3-4      Next generation, scalable, extenda
ii  apache2-mpm-prefork [apache 2.2.3-4+b1   Traditional model for Apache HTTPD
ii  dbconfig-common             1.8.33       common framework for packaging dat
ii  debconf                     1.5.13       Debian configuration management sy
ii  libapache2-mod-php5         5.2.2-1+b1   server-side, HTML-embedded scripti
ii  libphp-adodb                4.94-1       The 'adodb' database abstraction l
ii  libphp-phpmailer            1.73-3       full featured email transfer class
ii  php4-cli                    6:4.4.6-2+b1 command-line interpreter for the p
ii  php4-mysql                  6:4.4.6-2+b1 MySQL module for php4
ii  php5-cli                    5.2.2-1+b1   command-line interpreter for the p
ii  php5-mysql                  5.2.2-1+b1   MySQL module for php5

mantis recommends no packages.

-- debconf information:
  mantis/dbconfig-reinstall: false
* mantis/dbconfig-install: true
* mantis/remote/newhost: localhost
  mantis/title: Mantis
* mantis/url: http://localhost/mantis/
  mantis/upgrade-backup: true
  mantis/internal/skip-preseed: false
  mantis/install-error: abort
  mantis/internal/reconfiguring: false
  mantis/dbconfig-remove:
* mantis/bounce: [EMAIL PROTECTED]
* mantis/db_autoupdate: true
* mantis/ldap: false
  mantis/ldap_server: localhost
  mantis/version:
  mantis/from: [EMAIL PROTECTED]
  mantis/show_version: true
  mantis/root_mysql: root
  mantis/passwords-do-not-match:
  mantis/signup: true
* mantis/admin: [EMAIL PROTECTED]
* mantis/mysql/admin-user: root
* mantis/remote/port:
* mantis/username: mantis
  mantis/purge: false
* mantis/webmaster: [EMAIL PROTECTED]
* mantis/dbconfig-upgrade: false
  mantis/remove-error: abort
* mantis/remote/host: localhost
* mantis/purge_db: true
* mantis/db/app-user: mantis
* mantis/mysql/method: tcp/ip
  mantis/dn: dn=
  mantis/mysql_port: 3306
* mantis/webserver: apache
* mantis/db/dbname: bugtracker
* mantis/database-type: mysql
  mantis/upgrade-error: abort
* mantis/app_configure: true
  mantis/language: english
* mantis/mysql_server: localhost
* mantis/database: bugtracker
  mantis/organisation:
-- 
 ,''`.
: :' :      Cyril Bouthors
`. `'         Debian.org
  `-



--- End Message ---
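
The check and the fix from the report above, as an added shell example that is not part of the original messages or of the Debian package: it lists configuration files readable by "other" and tightens one file to the root:www-data 640 layout the reporter quotes. The function names and the `CONF_GROUP` variable are hypothetical, and the sample file in any test run is constructed.

```shell
#!/bin/sh
# Added example: audit a config directory for world-readable files and
# tighten a file to root:<web group> mode 640, as described in the report.
# CONF_GROUP and all function names are assumptions made for this example.

CONF_GROUP="${CONF_GROUP:-www-data}"

# Print "MODE OWNER:GROUP PATH" for every regular file readable by "other".
audit_world_readable() {
    find "$1" -type f -perm -004 -exec stat -c '%a %U:%G %n' {} +
}

# Number of world-readable regular files (0 means the directory passes).
count_world_readable() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# Tighten one file. Changing owner/group needs root and an existing group;
# if that step is not possible the "other" bits are still removed, which
# closes the disclosure even though the web server may then lack access.
harden_config() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && getent group "$CONF_GROUP" >/dev/null 2>&1; then
        chown "root:$CONF_GROUP" "$f" ||
            echo "warning: chown root:$CONF_GROUP failed on $f" >&2
    else
        echo "note: skipping chown root:$CONF_GROUP on $f" >&2
    fi
    chmod 640 "$f"
}

# Stand-alone use: pass a directory to list offending files.
if [ "$#" -gt 0 ]; then
    audit_world_readable "$1"
fi
```

Run it with a directory such as `/etc/mantis` to list offending files; `harden_config` is meant to be called as root on each file that holds credentials.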
--- Begin Message ---
Source: mantis
Source-Version: 1.0.7+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.0.7+dfsg-1.diff.gz
  to pool/main/m/mantis/mantis_1.0.7+dfsg-1.diff.gz
mantis_1.0.7+dfsg-1.dsc
  to pool/main/m/mantis/mantis_1.0.7+dfsg-1.dsc
mantis_1.0.7+dfsg-1_all.deb
  to pool/main/m/mantis/mantis_1.0.7+dfsg-1_all.deb
mantis_1.0.7+dfsg.orig.tar.gz
  to pool/main/m/mantis/mantis_1.0.7+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <[EMAIL PROTECTED]> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 May 2007 15:33:14 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.0.7+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Patrick Schoenfeld <[EMAIL PROTECTED]>
Changed-By: Patrick Schoenfeld <[EMAIL PROTECTED]>
Description: 
 mantis     - web-based bug tracking system
Closes: 408819 408822 408823 412115 414796 415158 420639 420841 425010 425034
Changes: 
 mantis (1.0.7+dfsg-1) unstable; urgency=low
 .
   * New upstream release
     - Includes some security fixes
     - Includes some minor bug fixes
     (Closes: #415158, #420639)
   * Added original re-licensed rss library
   * Added dependency on mysql-client. Thanks to Luca Falavigna for the patch
     (Closes: #420841)
   * Removed custom field disclosure patch, because it is part of upstream now
   * Changed modes of /etc/mantis/config_db.php to something more sane
     (Closes: #425010)
   * Fixed reinstallation by an additional if-clause in the pre-installation
     script (Closes: #408822)
   * Adding missing question about from-address to debian/config
   * Fixed deletion of configuration files during reconfigure (Closes: #408823)
   * Removed garbage from mantis.templates (Closes: #408819)
   * Changed include path in apache.conf to work in more constellations
     (Closes: #414796, #425034)
   * Added a note about the Administrator account information
   * [INTL:de] Updated German debconf translation.
     Thanks to Helge Kreutzmann. (Closes: #412115)
   * [INTL:pt] Portuguese translation for debconf messages
Files: 
 c393eca2ace3d53ca1103c8c3985fe82 606 web optional mantis_1.0.7+dfsg-1.dsc
 c14ca7cf8b4516b4c775dd0f0477f0c5 1245293 web optional mantis_1.0.7+dfsg.orig.tar.gz
 00dbb2da704b19549003462efcbc6e41 29422 web optional mantis_1.0.7+dfsg-1.diff.gz
 0ab0a7280c31c1be9f948b5f7532b18c 1277748 web optional mantis_1.0.7+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVFsM+C5cwEsrK54RAt3fAKChkWBUNmGMpcUOJFzNhPszJfjMNQCffpgM
Y5IZ8E8b/x5xZGRiA6xeqis=
=44j0
-----END PGP SIGNATURE-----


--- End Message ---
